The vulnerability exists due to an uninitialized variable in the "CLayout::EnsureDispNode" method. This method is called to recalculate the location of various HTML elements within the page. This function passes a "CDispNodeInfo" object to another function, "CLayout::GetDispNodeInfo," which is supposed to initialize the object passed in; however, the function fails to properly initialize a flag's value that is used later to determine how many "extra" bytes to allocate for a heap buffer. This eventually leads to an undersized buffer being allocated to hold a "CDispClipNode" object in the "CLayout::EnsureDispNodeCore" function. The vulnerability manifests itself when the "CDispNode::SetUserClip" function attempts to use the invalid "extra size" to calculate an offset into the object and manipulate a bit at this location. This corrupts the objects VTABLE by setting the second bit to 1, which can lead to the execution of arbitrary code when this pointer is accessed l ater.

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the Web page. To exploit this vulnerability, a targeted user must load a malicious Web page. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious Web page, no further user interaction is needed.